Europäisches Patentamt
European Patent Office
Office européen des brevets

Publication number: 0 518 365 A2

EUROPEAN PATENT APPLICATION

Application number: 92109934.7
Date of filing: 12.06.92
Int. Cl.5: G07F 7/10, H04L 9/32

Priority: 14.06.91 JP 143530/91
          10.07.91 JP 170131/91

Date of publication of application: 16.12.92 Bulletin 92/51

Designated Contracting States: DE FR GB

Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
1-6 Uchisaiwaicho 1-chome Chiyoda-ku
Tokyo (JP)

Inventor: Okamoto, Tatsuaki
94-2-5-503, Nagasawa
Yokosuka-shi, Kanagawa (JP)
Inventor: Ohta, Kazuo
2-10-34, Yamanone
Zushi-shi, Kanagawa (JP)

Representative: Blumbach Weser Bergen Kramer Zwirner Hoffmann Patentanwälte
Radeckestrasse 43
W-6000 München 60 (DE)






Electronic cash system.

In an electronic cash system, K sets of blind signature information are derived from secret information
containing identification information of a user (200, 400), K/2 sets of them are opened and a bank (100) attaches
a blind signature to the remaining K/2 sets of information. The user obtains a signed license from the blind
signature. The user generates blind signature information from the license and a desired amount of money,
gets a blind signature of the bank to the blind signature information and obtains electronic cash signed by the
bank from the blind signature. The user presents to a shop (300) a residue power root of a node in a money
hierarchical structure and the electronic cash, corresponding to the amount of money to be used, and the shop
verifies their validity and, if they are valid, offers inquiry information to the user. The user offers, as response
information, a residue power root of the node corresponding to the amount of money to be used to the shop.
The shop verifies the validity of the response information and, if it is valid, acknowledges the payment with
electronic cash of the amount of money to be used.

FIG. 1 
BACKGROUND OF THE INVENTION

The present invention relates to an electronic cash system which implements the use of electronic cash
through utilization of a telecommunication system or smart card by a bank who issues the electronic cash, a
customer or user who uses the electronic cash and a shop who receives the electronic cash from the user
and settles an account with the bank.

An electronic funds transfer through a telecommunication system is now coming into common use. In
general, a certificate which is refundable (such as a draft or check) has a symbolic function of its own
(which guarantees its possessor the rights stated thereon). When handled in the telecommunication
system, the certificate is in the form of digitized data, which can readily be copied for conversion into
money a plurality of times. This problem is encountered as well in the implementation of electronic cash
such as a prepaid card because it can also be copied many times for abuse such as refund or purchase in
the possessor's name.

Another method for the implementation of such an electronic cash system is to settle accounts later
through use of an electronic ID card (such as an electronic credit card or electronic check). This method
differs in the manner or form of use (settlement of accounts) from the real cash system but can be regarded
as one kind of application or embodiment of the electronic cash. With the electronic credit card, the use of
a digital signature as a substitute for a handwritten signature allows electronic processing of all pieces of
data involved and hence permits the transfer of information for settlement of accounts through telecommunication
circuits. However, the most crucial problem of this system is that the privacy of the user is not ever
guaranteed; the same is true of the current credit cards and checks. That is, an organization which issues
credit cards and settles accounts is capable of acquiring users' purchase records.

On the other hand, it has been proposed by D. Chaum ("Security without Identification: Transaction
Systems to Make Big Brothers Obsolete," Comm. of ACM, 28, 10, pp. 1030-1044, 1985) that the above-noted
problems inherent with the prior art system could be solved by a combination of a blind digital
signature scheme and an on-line check for each transaction at a shop (that is, the shop inquires on-line of a
management center about the double usage or abuse of the user's blind digital signature). From the
viewpoints of the processing time (or user's waiting time), the communication cost, the on-line processing
cost and database maintenance and management cost at the management center and so forth, the above-said
inquiry from the shop to the management center for each transaction is feasible on a small scale but
cannot be said to be practical. It is therefore preferable that the procedure between the user and the shop
at the time of payment of electronic cash be executed off-line, just as a salesperson verifies the validity of
ordinary or real cash by the senses of sight and touch and performs local (off-line) processing accordingly.

Taking the foregoing into account, the criteria describing the ideal electronic cash system are as
follows:

(a) Independence: The security of electronic cash cannot depend on any condition. Then, the cash can 
be transferred through networks. 

(b) Security: The ability to copy (reuse) and forge the cash must be prevented. 

(c) Privacy (Untraceability): The privacy of the user should be protected. That is, the relationship
between the user and his purchases must be untraceable by anyone.

(d) Off-line payment: When a user pays the electronic cash to a shop, the procedure between the user
and the shop should be executed in an off-line manner. That is, the shop does not need to be linked to
the host in the user's payment procedure.

(e) Transferability: The cash can be transferred to other users.

(f) Dividability: One issued piece of cash worth value C (dollars) can be subdivided into many pieces
such that each subdivided piece is worth any desired value less than C and the total value of all pieces
is equivalent to C.

The last two criteria (e) and (f) are naturally called for from the viewpoint of the handiness of electronic
cash. The dividability (f) is a relatively severe criterion that even the real cash system cannot satisfy. That
is, it is impossible to subdivide a hundred-dollar bill into 10 pieces each worth $10. This is the reason why
we must hold many bills and coins in our wallets. On the other hand, the current prepaid card systems
feature this function and trade on the handiness based thereon but do not satisfy the criteria (a), (b) and (c).

Recently there have been proposed some electronic cash systems which satisfy the criteria (a), (b), (c)
and (d). Of them, a system by Chaum et al. (D. Chaum, A. Fiat and M. Naor, "Untraceable Electronic
Cash," the Proc. of Crypto '88, pp. 319-327, 1988) satisfies these four criteria but fails to satisfy the criteria
(e) and (f). Moreover, this system involves communication and processing of an appreciably large amount of
information between the bank and the user upon each issuance of electronic cash. A system by Okamoto
and Ohta (U.S. Patent No. 4,977,595) satisfies the criterion (e) in addition to the four criteria (a) through (d)
and satisfies the criterion (f) to some extent.

In the Okamoto and Ohta system the user obtains a blind signature of the bank to user information $V_i$
generated from secret information $S_i$ containing the user's identification (ID) in a raw form and holds the
signed user information as a license $B_i$. When the user wants the bank to issue electronic cash, he obtains
the blind signature of the bank to a set of k/2 pieces of authentication information $X_i$ produced from k/2
pieces of random information $R_i$ and the license $B_i$, and uses the thus signed information as electronic cash
C. When the user pays with the electronic cash at a shop, he shows the k/2 pieces of authentication
information $X_i$, k/2 pieces of user information $V_i$, the license $B_i$, etc. to the shop together with the electronic
cash C and executes an authentication with interactive proof property by which the user makes a response
$Y_i$ to an inquiry $E_i$ from the shop. The security of this method is based on the difficulty in the calculation of
the higher degree roots. In the event that the user has committed invalid double usage of the electronic
cash (that is, when the user has used twice the user information $V_i$ and the authentication information $X_i$ of
the same group), two sets of different inquiries $E_i$ and responses $Y_i$ with respect to the user information $V_i$
and the authentication information $X_i$ of the same group are reported to the bank, so that the secret
information $S_i$ of the user can be obtained from the two sets of inquiries and responses, and hence the
user's ID contained in the raw form in the information $S_i$ can be specified.

With the system proposed by Okamoto and Ohta, it is necessary that after issuance of the electronic
cash C the k/2 pieces of authentication information $X_i$ corresponding to k/2 pieces of random information $R_i$
be stored on, for example, a smart card together with the license $B_i$. Assuming, for example, that the
amounts of data necessary for one piece of authentication information $X_i$ and the license $B_i$ are each 64
bytes and k/2 = 20, then the above system requires as large a storage capacity as 64 x 21 bytes for only
these pieces of information.

In the Okamoto-Ohta system, an electronic coupon ticket is also proposed, in which one piece of
electronic cash can be subdivided into many pieces whose values are all equivalent. In this system,
however, if the user pays for an article with cents, the store receives an enormous number of one-cent
electronic coupon tickets from the user. For example, when the price of the article is $356.27, the store
receives 35,627 electronic coupon tickets, where the data size of each ticket is several bytes. Thus the
store receives about 200 megabytes of data for the transaction of just one article; this is utterly impractical.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide an electronic cash system which guarantees
protection of the privacy of users and prevents abuse of electronic cash through any conspiracy and in
which the data sizes of electronic cash and the associated information to be held by each user are small.

Another object of the present invention is to provide an electronic cash system which guarantees
protection of the privacy of users and prevents abuse of electronic cash through any conspiracy and in
which one issued piece of electronic cash of a certain face value can be subdivided a desired number of
times into many pieces each worth a desired value until the total value of all subdivided pieces becomes
equal to the value predetermined when the electronic cash was issued and in which the data size of each
subdivided piece of electronic cash is small.

According to an aspect of the present invention, the electronic cash system in which the user has
electronic cash and the license issued by a bank is entitled to use the electronic cash, includes the
following steps:

Step 1: The user furnishes the store with a composite number which is the product of at least two prime
numbers, the electronic cash and information containing the license;

Step 2: The store checks the validity of the license and the composite number and, if they are valid,
prepares and offers an inquiry to the user;

Step 3: In reply to the inquiry, the user computes a power residue of a desired function using the
composite number as a modulus and shows it as a response to the store; and

Step 4: The store verifies the validity of the response through utilization of the composite number.

According to another aspect of the present invention, the electronic cash system in which the user uses
the electronic cash issued by the bank, includes the following steps:

Step 1: The bank establishes a hierarchical structure table which is a tree having a required number of
levels and in which one node corresponding to the face value of the electronic cash issued to the user is
defined at the highest level, nodes of lower levels are sequentially branched from the node of the highest
level just like a tree and the unit value of each node is made to correspond to the total value of the
immediately descendant nodes branched therefrom;

Step 2: The user selects a combination of nodes corresponding to the amount of money used from the
hierarchical structure table in accordance with the following restrictions:

(a) Once a node is used, all of its ancestor and descendant nodes cannot be used;

(b) No node can be used more than once;

Step 3: The user creates amount of money information corresponding to each node and offers it and
electronic cash to the store.

In the first-mentioned aspect of the invention, the utilization of the power residue in the procedure
between the user and the store is to use an even power root employing, as a modulus, a composite number
called a Williams integer; this is based on the fact that the composite number used as the modulus can be
factorized into prime factors by use of two different types of even power roots. That is, it is possible to
utilize the principle that if the user abuses electronic cash, his identity (ID), which is his secret information,
is revealed through the factorization of the modulus into prime factors. In the execution of this principle the
amount of data to be held by the user is small, because the calculation of the residue power root, which is
provided to the store, does not call for such k/2 random numbers $R_i$ as are needed in the fore-mentioned
Okamoto-Ohta system.

In the second-mentioned aspect of the invention, a hierarchical structure table corresponding to the
structure of electronic cash is constructed, and when the electronic cash is used, cash within a certain face
value can be used in a manner corresponding to the structure of the table.



BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a block diagram illustrating an example of the system to which the present invention is applied;
Fig. 2 is a flowchart showing, by way of example, the procedure for issuing a license;
Fig. 3 is a block diagram showing the construction for the license issuance processing on the part of the
user;
Fig. 4 is a block diagram showing the construction for the license issuance processing on the part of the
bank;
Fig. 5 is a block diagram illustrating an example of communication for the electronic cash issuance
procedure;
Fig. 6A is a block diagram illustrating the construction for the electronic cash issuance procedure on the
part of the user;
Fig. 6B is a block diagram illustrating the construction for the electronic cash issuance procedure;
Fig. 7A is a hierarchical structure table of electronic cash;
Fig. 7B is a diagram showing the structure of a Γ table corresponding to the table depicted in Fig. 7;
Fig. 7C is a diagram showing the general hierarchical structure of electronic cash;
Fig. 8 is a diagram showing an example of communication in the procedure for using the electronic cash;
Fig. 9 is a block diagram illustrating the construction for the electronic cash using procedure on the part
of the user;
Fig. 10 is a block diagram illustrating the construction for the electronic cash using procedure on the part
of the store;
Fig. 11 is a diagram showing an example of communication in the case of transferring the electronic
cash; and
Fig. 12 is a diagram showing an example of communication in the case of payment by transferred
electronic cash.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Fig. 1 shows a system to which the present invention is applied and in which a bank 100, users 1 (200)
and 2 (400) and a store 300 are interconnected via telecommunication networks, for example. The users 1
and 2 may also pay the store directly with smart cards, not via the telecommunication networks.

In the electronic cash system according to the present invention, the bank (i.e. an organization that
issues electronic cash and settles accounts) 100 issues a license when the user opens an account with the
bank 100. Then, the bank 100 issues electronic cash (referred to also as an electronic bill) of a certain face
value to the user at his request. The user uses the electronic cash many times to pay at various stores until
the face value of the electronic cash is reached. Finally, each store settles an account with the bank 100 for
each payment of the electronic cash by the user.

PRELIMINARY PROCEDURE 
First of all, the bank 100 creates, as information corresponding to the license, a secret key dA and
public keys eA and nA which are used for an RSA digital signature, and lays the keys eA and nA open to
the public. Furthermore, the bank 100 creates, as information corresponding to the face value of the
electronic cash, a secret key dA' and public keys eA' and nA' which are used for the RSA digital signature,
and lays the keys eA' and nA' open to the public, together with the face value. On the other hand, the user
creates a secret key dP and public keys eP and nP which are used for an RSA digital signature and lays
the keys eP and nP open to the public, together with identification information $ID_P$ of his own. The RSA
digital signature scheme is disclosed in, for example, U.S. Patent No. 4,795,063 and is well-known in the art.

Incidentally, the RSA digital signature which the bank uses may be substituted with any other blind
digital signatures (T. Okamoto and K. Ohta, "Divertible Zero-Knowledge Interactive Proofs and Commutative
Random Self-Reducible," Proc. of Eurocrypt '89, 1989). The RSA digital signature for the user may also be
replaced with any other digital signatures.

The bank further defines and keeps three random functions $f_\Gamma$, $f_\Lambda$ and $f_\Omega$ open to the public. These
functions are used to determine the value of each node of hierarchical structure tables (a Γ table and a Λ
table) described later on. These functions are, for example, universal hash functions or pseudo-random
generating functions. In the following description, A = B mod C represents a calculation (called a residue
calculation) for obtaining a residue A by dividing B by C, and A ≡ B (mod C) a residue calculation using C
as the modulus with respect to both of A and B.

(1) Procedure for Issuing License

A description will be given first of the case where the user (hereinafter identified by 200), who has
newly opened an account with the bank 100, has a license issued from the bank 100 by the cut-and-choose
methodology. The user 200 creates K sets of randomized blind signature information $W_i$ from secret
information $S_i$ containing the identification information $ID_P$ of his own (such as his account number), or more
specifically, user information $I_i$ derived from the secret information $S_i$. The bank 100 makes the user 200
open L (which is smaller than K) sets of information in the K sets of blind information. If the opened
information is correct, then the bank 100 produces a blind signature W with respect to the remaining
unopened (K-L) sets of information and transmits it to the user 200. The user 200 calculates a signature B
of the bank 100 for the user information $I_i$ from the blind signature W received from the bank 100 and uses
the thus calculated bank signature as a license B.

The procedure for the user 200 to have the bank 100 issue the license is such as described below. Fig.
2 shows an example of communication between the bank 100 and the user 200. Figs. 3 and 4 show
arrangements for license issuance processing on the part of the user 200 and on the part of the bank 100,
respectively. The following description is given on the assumption that i = 1, 2, ..., K.

Step S1: The user 200 generates random numbers $a_i$ and $r_i$ by means of a random generator 201. The
random number $a_i$ is input into a concatenator 204, together with the identification information $ID_P$, and
the concatenated output ($ID_P \| a_i$) is applied to a one-way hash function calculator 205. The output $g(ID_P \| a_i)$
of the hash function calculator 205 is provided to RSA signing equipment 206 together with the user's
secret key dP and opened key nP for signature to obtain

$D_i = (g(ID_P \| a_i))^{dP} \bmod nP$  (1)

Step S2: The output of the signing equipment 206 is provided to a concatenator 207 together with the
information $ID_P$ and the random number $a_i$, wherein secret information $S_i = ID_P \| a_i \| D_i$ is obtained.
Furthermore, the secret information $S_i$ thus obtained is input into a divider 208, wherein it is divided into
$S_{1,i}$ and $S_{2,i}$ such that $S_i = S_{1,i} \| S_{2,i}$.

Step S3: A prime generator 202 is used to generate two primes $P_i$ and $Q_i$ which satisfy $P_i \equiv 3 \pmod 8$
and $Q_i \equiv 7 \pmod 8$, and their product, $N_i = P_i Q_i$, is obtained with a multiplier 203, where the composite
number $N_i$ is the Williams integer.

Step S4: The divider outputs $S_{1,i}$ and $S_{2,i}$ and the composite number $N_i$ are provided to modulo residue
power calculators 209 and 211, from which the following outputs are obtained:

$I_{1,i} = (S_{1,i})^2 \bmod N_i$

$I_{2,i} = (S_{2,i})^2 \bmod N_i$  (2)

These outputs are applied to a concatenator 210, wherein user information $I_i = I_{1,i} \| I_{2,i}$ is calculated.
Step S5: The composite number $N_i$ and the information $I_i$ are provided to a concatenator 212 and its
output, $I_i \| N_i$, is applied to a one-way hash function calculator 213, from which $g(I_i \| N_i)$ is obtained. On
the other hand, the random number $r_i$ is input into an RSA encoder 215 together with the public key (eA,
nA) of the bank 100 to obtain therefrom $(r_i)^{eA} \bmod nA$. Next, the outputs of the one-way hash function
calculator 213 and the RSA encoder 215 are applied to a modulo power calculator 214 to obtain blind
signature information $W_i$:

$W_i = (r_i)^{eA} \, g(I_i \| N_i) \bmod nA$  (3)

The blind signature information $W_i$ (where i = 1, 2, ..., K) is transmitted to the bank 100.

Step S6: Next, in order to make the user 200 open his identification information $ID_P$ and a desired one of
the K sets of information $a_i$, $P_i$, $Q_i$, $D_i$ and to make sure that the user 200 has correctly executed Steps S1
through S5, the bank 100 randomly selects L (L < K) values of i, for example, K/2 values of i, from i =
1, ..., K and transmits them as a disclosure request, $U = \{i_1, \ldots, i_L\}$, to the user 200. For the sake of
brevity, let it be assumed that $i_1 = K/2 + 1$, $i_2 = K/2 + 2$, ..., $i_L = K$ are specified to be opened. It is
not always necessary that L = K/2, but this value improves the efficiency of processing.
Step S7: Upon receipt of the disclosure request U from the bank 100, the user 200 opens his
identification information $ID_P$ and the pieces of information $a_i$, $P_i$, $Q_i$, $D_i$ and $r_i$ of the bank's specified K/2
sets. When the i is the object to be opened, the bank 100 performs the following procedures.

Step S8: The bank 100 verifies the validity of the received signature $D_i$ by use of the pieces of
information $a_i$ and $ID_P$ received from the user 200 and his public keys eP and nP. That is, the pieces of
information $a_i$ and $D_i$ are concatenated by a concatenator 104, the output of which is applied to a one-way
hash function calculator 105 to obtain $g(ID_P \| a_i)$. On the other hand, the identification information $ID_P$
and the public keys nP and eP received from the user are encoded by an RSA encoder 107, and the
encoded output and the output of the calculator 105 are compared by a comparator 106. If they do not
match, no further processing will be done.

Step S9: The pieces of information $a_i$, $P_i$, $Q_i$ and $ID_P$ received from the user 200 are provided to a
multiplier 103 to obtain $N_i = P_i \cdot Q_i$. Further, the pieces of information $a_i$, $ID_P$ and $D_i$ are concatenated
by a concatenator 108 to obtain the secret information $S_i$, which is divided by a divider 109. The divided
outputs are provided to modulo power calculators 110 and 112, wherein they are subjected to a modulo
power calculation using the composite number $N_i$, and their outputs are concatenated by a concatenator
111 to obtain the user information $I_i$.

Step S10: The information $I_i$ and the composite number $N_i$ thus obtained are concatenated by a
concatenator 113, the output of which is applied to a one-way hash function calculator 114. The received
random number $r_i$ and the public keys eA and nA are supplied to an RSA encoder 117 to obtain $(r_i)^{eA} \bmod nA$.
The outputs of the encoder 117 and the calculator 114 are provided to a modulo power
calculator 115, wherein the following equation is calculated:

$W_i = (r_i)^{eA} \, g(I_i \| N_i) \bmod nA$  (3)'

Step S11: The value of the previous information $W_i$ and the value of the current information $W_i$ are
compared by a comparator 116. If they match, the information $W_i$ will be accepted, but if they do not
match, then no further processing will be executed. In this way, the bank 100 checks all of the K/2 i's,
and if any one of them is rejected, then the subsequent processing will not be performed. When all the
i's are found good, then the bank performs the following procedure to attach its blind signature to the
remaining sets of information corresponding to i = 1, ..., K/2 which are not the objects to be opened.

Step S12: Based on the public key nA and secret key dA of the bank 100 and the blind signature
information $W_i$ from the user 200, the following blind signature is obtained by a modulo multiplier 118
and an RSA signature generator 119:

$W = \left( \prod_{i=1}^{K/2} W_i \right)^{dA} \bmod nA$  (4)

Then, the bank 100 sends the blind signature W to the user 200.

Step S13: Upon receipt of the blind signature W from the bank 100, the user 200 calculates the license
B from the random numbers $r_i$ and the public keys eA and nA by a modulo multiplier 216 and a modulo
divider 217, using the intermediate term of the following equation:

$B = W \Big/ \left( \prod_{i=1}^{K/2} r_i \right) \bmod nA = \left( \prod_{i=1}^{K/2} g(I_i \| N_i) \right)^{dA} \bmod nA$  (5)

The intermediate term of Eq. (5) is equivalent to the left-hand side, and accordingly, the license B is
equivalent to the user information I signed by the bank 100 using the secret key dA.

(2) Procedure for Issuing Electronic Cash

Next, a description will be given of the procedure for the user 200 to get an electronic bill issued from
the bank 100. At first, the bank 100 generates, as information corresponding to the face value of the
electronic bill, pairs of the secret key dA' and the public keys eA' and nA' for RSA digital signature and
opens the keys eA' and nA' together with the face value of the electronic bill. Fig. 5 shows an example of
communication between the bank 100 and the user 200 in this instance. Figs. 6A and 6B show
arrangements for electronic bill issuance processing on the parts of the user 200 and the bank 100,
respectively.

Step S1: The user 200 generates random numbers b and r by means of a random generator 201 and
derives $g(B \| b)$ from the random number b and the license B by use of a concatenator 204 and a one-way
hash function calculator 205. On the other hand, the random number r and the bank's public keys
eA' and nA' corresponding to the face value of the electronic bill to be issued are supplied to an RSA
encoder 215 to create authentication information $r^{eA'}$, and this information and the output, $g(B \| b)$, from
the one-way hash function calculator 205 are provided to a modulo multiplier 214 to calculate

$Z = r^{eA'} \, g(B \| b) \bmod nA'$  (6)

thereby obtaining blind signature information Z corresponding to the face value of the electronic bill to be
issued.

Step S2: The blind signature information Z is sent to the bank 100 together with information about the
face value of the electronic bill.

Step S3: Having received the information Z, the bank 100 supplies an RSA signature generator 119 with
the information Z and the secret key dA' corresponding to the face value of the electronic bill to obtain

$Z' = Z^{dA'} \bmod nA'$.

That is, the bank 100 generates a blind signature Z' corresponding to the amount of money to be
withdrawn from the user's account and then sends the blind signature Z' to the user 200. At the same
time, the bank 100 withdraws the amount of money concerned from the user's account or receives the
corresponding amount of money from the user 100.

Step S4: Having received the blind signature Z' from the bank 100, the user 200 inputs the random
number r and the received information Z' and public key nA' into a modulo divider 217 to obtain the
following bank's signature to the authentication information and the license:

$C = Z'/r \bmod nA' = (g(B \| b))^{dA'} \bmod nA'$  (7)

where C corresponds to the electronic bill.

The above-described electronic cash issuing procedure has its feature in that the user 200 derives the
blind signature information Z corresponding to a desired amount of money from the concatenation of the
license B and the random number b instead of using such K/2 pieces of random information $R_i$ as are
needed in the afore-mentioned Okamoto-Ohta system. Accordingly, the user 200 need not hold, as
information on the electronic cash, such K/2 pieces of random information $R_i$, and the storage capacity for
storing pieces of information B, C and $N_i$ on the electronic cash is small and hence is practical.
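
The two issuance procedures above (license, Steps S5 to S13, and electronic bill, Steps S1 to S4) can be traced end to end in the following Python sketch. It is an added example, not part of the patent text. It assumes toy RSA keys built from Mersenne primes, SHA-256 standing in for the one-way hash g, constructed integers in place of the $(I_i, N_i)$ pairs of Eqs. (1) and (2), and the fixed disclosure request of the text (the last K/2 sets are opened); all function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd, prod

def rsa_key(p, q, e=65537):
    """Toy RSA key from two primes (far too small for real use)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# Constructed toy keys built from the Mersenne primes 2^31-1, 2^61-1, 2^89-1.
M31, M61, M89 = (1 << 31) - 1, (1 << 61) - 1, (1 << 89) - 1
LICENSE_KEY = rsa_key(M31, M61)   # plays the role of (eA, nA, dA)
CASH_KEY = rsa_key(M61, M89)      # plays the role of (eA', nA', dA')

def g(key, *parts):
    """Stand-in for the one-way hash g(x || y), reduced modulo the key's n."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % key["n"]

def random_unit(n):
    """Random blinding factor r with gcd(r, n) = 1."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def blind(key, m, r):
    """User side: r^e * m mod n (the shape of Eqs. 3 and 6)."""
    return pow(r, key["e"], key["n"]) * m % key["n"]

def sign(key, w):
    """Bank side: w^d mod n, applied without seeing m."""
    return pow(w, key["d"], key["n"])

def unblind(key, s, r):
    """User side: s / r mod n (the shape of Eqs. 5 and 7)."""
    return s * pow(r, -1, key["n"]) % key["n"]

def bank_issue_license(Ws, opened, key=LICENSE_KEY):
    """Steps S8-S12: recompute every opened W_i, then sign the product of the rest."""
    for i, (I, N, r) in opened.items():
        if blind(key, g(key, I, N), r) != Ws[i]:
            raise ValueError(f"opened set {i} does not reproduce its W_i")
    rest = [w for i, w in enumerate(Ws) if i not in opened]
    return sign(key, prod(rest) % key["n"])              # Eq. 4

def user_get_license(sets, cheat=False, key=LICENSE_KEY):
    """Steps S5-S13 from the user's side; returns (B, unopened sets)."""
    K = len(sets)
    rs = [random_unit(key["n"]) for _ in sets]
    Ws = [blind(key, g(key, I, N), r) for (I, N), r in zip(sets, rs)]
    if cheat:                      # commit to a W_i that its opening will not match
        Ws[K - 1] = Ws[K - 1] * 2 % key["n"]
    # The text's example disclosure request: the last K/2 indices are opened.
    opened = {i: (*sets[i], rs[i]) for i in range(K // 2, K)}
    W = bank_issue_license(Ws, opened, key)
    kept = range(K // 2)
    B = unblind(key, W, prod(rs[i] for i in kept) % key["n"])   # Eq. 5
    return B, [sets[i] for i in kept]

def license_is_valid(B, kept_sets, key=LICENSE_KEY):
    """B^eA must equal the product of g(I_i || N_i) over the unopened sets."""
    expected = prod(g(key, I, N) for I, N in kept_sets) % key["n"]
    return pow(B, key["e"], key["n"]) == expected

def user_get_cash(B, key=CASH_KEY):
    """Electronic bill issuance, Steps S1-S4: returns (C, b)."""
    b, r = secrets.randbits(64), random_unit(key["n"])
    Z = blind(key, g(key, B, b), r)       # Eq. 6
    Z_signed = sign(key, Z)               # bank, Step S3
    return unblind(key, Z_signed, r), b   # Eq. 7

def cash_is_valid(C, B, b, key=CASH_KEY):
    """C^eA' must equal g(B || b)."""
    return pow(C, key["e"], key["n"]) == g(key, B, b)

# Constructed sample input: six (I_i, N_i) pairs standing in for Eqs. (1)-(2).
SAMPLE_SETS = [(1000 + i, 253 + 2 * i) for i in range(6)]
```

The user ends up holding only B, C, b and the unopened $N_i$, which is the storage saving the paragraph above describes; the `cheat=True` path shows the bank's recomputation of an opened $W_i$ rejecting a malformed set.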



(3) Payment of Electronic Cash

A description will be given first of number-theoretic preparations necessary for explaining divide and
use of electronic cash in the electronic cash system according to the present invention and then of a money
hierarchical structure on which the divide and use of the electronic cash are based.

Preparatory Number Theoretic Conventions

Definition: N is called the Blum integer if N = PQ (P, Q are prime) and $P \equiv 3 \pmod 4$, and $Q \equiv 3 \pmod 4$.
N is called the Williams integer if N = PQ (P, Q are prime) and $P \equiv 3 \pmod 8$, and $Q \equiv 7 \pmod 8$. Note
that the Williams integer is a specific type of the Blum integer and therefore has all properties of the Blum
integer.

Let (x/N) denote the Jacobi symbol, when N is a composite number, and denote the Legendre symbol,
when N is a prime. When N = PQ (P, Q are prime), $Z_N^*$ can be classified into four classes as follows:

$Z_{(1,1)} = \{ x \in Z_N^* \mid (x/P) = 1, (x/Q) = 1 \}$,
$Z_{(1,-1)} = \{ x \in Z_N^* \mid (x/P) = 1, (x/Q) = -1 \}$,
$Z_{(-1,1)} = \{ x \in Z_N^* \mid (x/P) = -1, (x/Q) = 1 \}$, and
$Z_{(-1,-1)} = \{ x \in Z_N^* \mid (x/P) = -1, (x/Q) = -1 \}$  (8)

Clearly, $Z_{(1,1)}$ denotes the set of quadratic residue integers in $Z_N^*$. Hereafter, $QR_N$ will often denote
$Z_{(1,1)}$, and $QNR_N$ the other classes.

Proposition 1: Let N be the Blum integer, and $x \in QR_N$. Then, for any integer t ($1 \le t$), there are four values
$y_1$, $y_2$, $y_3$, $y_4$ such that

$(y_i)^{2^t} \equiv x \pmod N$  (9)

and that $y_1 \in Z_{(1,1)}$, $y_2 \in Z_{(1,-1)}$, $y_3 \in Z_{(-1,1)}$, $y_4 \in Z_{(-1,-1)}$.
In addition,

$y_1 \equiv -y_4 \pmod N$,  (10)

$y_2 \equiv -y_3 \pmod N$,  (11)

$(y_1/N) = (y_4/N) = 1$, and  (12)

$(y_2/N) = (y_3/N) = -1$  (13)

The above proposition immediately implies that four values of $2^t$-th root y of x can be uniquely
determined by two bit information; one is whether (y/N) = 1 or -1, and the other is whether y < N/2 or not.
In other words, when y < N/2, there are two values of y, one of which is (y/N) = 1 and the other is (y/N) =
-1.

60 xi/2* mod N (l£t) 

can be computed efficiently (in xpected polynomial time) from x, P, Q, and (y/N) can also be 
computed efficiently from y and N, while to compute 



55 



xi/2* mod N 
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from x and N is as difficult as factoring N. 

Proposition 2: Let N = PQ be the Williams integer. Then, for any \(x \in Z_N^*\), either one of x, -x, 2x and
-2x is in \(QR_N\). In addition, when \(ax \in QR_N\) (a is either 1, -1, 2, or -2), bx is not in \(QR_N\)
(\(b \ne a\), and b is either 1, -1, 2, or -2).
The above proposition 2 is easily proven by the following result:

\[ (-1/P) = (-1/Q) = -1, \quad (2/P) = -1, \quad (2/Q) = 1. \]

Definition: Let N be the Williams integer, and \(x \in QR_N\).

\[ [x^{1/2^t} \bmod N]_{QR} = y \qquad (14) \]

such that \(y^{2^t} \equiv x \pmod N\) and \(y \in QR_N\),

\[ [x^{1/2^t} \bmod N]_{1} = y' \qquad (15) \]

such that \((y')^{2^t} \equiv x \pmod N\), (y'/N) = 1 and 0 < y' < N/2, and

\[ [x^{1/2^t} \bmod N]_{-1} = y'' \qquad (16) \]

such that \((y'')^{2^t} \equiv x \pmod N\), (y''/N) = -1 and 0 < y'' < N/2, where \(1 \le t\).

Let N be the Williams integer, and \(z \in Z_N^*\).

\[ \langle z \rangle_{QR} = dz \bmod N \qquad (17) \]

such that \(d \in \{\pm 1, \pm 2\}\) and \((dz \bmod N) \in QR_N\),

\[ \langle z \rangle_{1} = d'z \bmod N \qquad (18) \]

such that \(d' \in \{1, 2\}\) and (d'z/N) = 1, and

\[ \langle z \rangle_{-1} = d''z \bmod N \qquad (19) \]

such that \(d'' \in \{1, 2\}\) and (d''z/N) = -1.

From the properties of the Williams number (and the Blum number), each value of y, y', y'', d, d', d'' is
uniquely determined, respectively.

Hierarchical Structure Table

In the present invention, the hierarchical structure table plays an important role because it allows the
issued electronic bill C to be subdivided into many pieces such that each subdivided piece is worth any
desired value less than C and the total value of all pieces is equivalent to C.

The hierarchical structure table is a tree of t levels, in which each node has two sons, and the unique root
node exists at the top of the tree. So, there are \(2^{m-1}\) nodes at the m-th level. Here, the significance of the
tree in the cash system according to the present invention will be shown. For easy understanding, let it be
assumed that the tree has three levels, and the value of the issued bill C is $100. The nodes of the m-th
level correspond to \(\$100/2^{m-1}\). So, the customer can use the bill in $25 increments, since the nodes of the
bottom level (the third level) correspond to $25 as shown in Fig. 7A.

The following are restrictions on the usage of the bill with respect to the tree:
(1) The value corresponding to any node is the total of the values corresponding to nodes that are the
direct sons of this node.
(2) When a node (the corresponding value) is used, all descendant nodes and all ancestor nodes of this
node cannot be used.
(3) No node can be used more than once.

Here is shown the case where a customer uses $75 first and then uses $25. When the customer uses
$75, he or she must use nodes 00 ($50) and 010 ($25). From the above restrictions, only a node 011 ($25)
will be left which can be used after the use of the nodes 00 and 010 as can be seen from Fig. 7A.

More generally, if the customer wants to use a bill worth $1000 by the cent, he or she would need a
hierarchical structure table of 17 levels (\(\log_2 100{,}000 = 16.5\)). The customer would then use about 8 nodes
on average (minimum: one node; maximum: 16 nodes) in order to pay by the cent for each purchase (e.g.,
$334.36 payment).
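The node bookkeeping implied by restrictions (1) to (3) can be sketched as follows. This is an added example, not code from the patent: the function names, the left-to-right selection strategy and the list used as the bank's record are assumptions, while the node labels ("0" for the root, "00" and "01" for its sons) and the $100 three-level bill follow the text.

```python
# Added illustration (not from the patent): node bookkeeping for the money hierarchy.
# Labels follow the text: root "0", its sons "00" and "01", their sons "000" ... "011".

def node_value(node, face_value):
    """Restriction (1): a node is worth the face value halved once per level below the root."""
    return face_value / 2 ** (len(node) - 1)

def related(a, b):
    """True if a and b are the same node or one is an ancestor of the other."""
    return a.startswith(b) or b.startswith(a)

def leaves(levels):
    """Bottom-level labels, left to right, for a tree with `levels` levels."""
    width = levels - 1
    if width == 0:
        return ["0"]
    return ["0" + format(i, "b").zfill(width) for i in range(2 ** width)]

def select_nodes(units, levels, used):
    """User side: pick nodes worth `units` bottom-level values without touching `used`.

    Assumed strategy: take the leftmost unspent leaves, then merge complete
    sibling pairs into their parent so that as few nodes as possible are spent.
    """
    free = [leaf for leaf in leaves(levels)
            if not any(related(leaf, u) for u in used)]
    if units > len(free):
        raise ValueError("not enough unspent value left in the bill")
    chosen = set(free[:units])
    merged = True
    while merged:
        merged = False
        for node in sorted(chosen):
            if len(node) == 1:
                continue  # the root has no sibling
            sibling = node[:-1] + ("1" if node[-1] == "0" else "0")
            if sibling in chosen:
                chosen -= {node, sibling}
                chosen.add(node[:-1])
                merged = True
                break
    return sorted(chosen)

def settlement_conflicts(history, node):
    """Bank side: recorded nodes of the same bill that forbid `node` (restrictions 2 and 3)."""
    return [u for u in history if related(u, node)]

if __name__ == "__main__":
    first = select_nodes(3, 3, [])        # $75 out of a $100 bill with three levels
    second = select_nodes(1, 3, first)    # the remaining $25
    print(first, [node_value(n, 100) for n in first])
    print(second, settlement_conflicts(first, "000"))
```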

Moreover, in the embodiment of the cash scheme that will be shown hereinafter, two hierarchical
structure tables (Γ table and Λ table) are used; Γ table is used to realize the first restriction (1), and Λ table
to realize the second restriction (2). Γ table and Λ table have the same structure such that they are trees
with the same topology (or the same number of layers) as shown in Fig. 7B, and that node values
\(\Gamma_{j_1 \cdots j_t}\) and \(\Lambda_{j_1 \cdots j_t}\) both correspond to the same node position \(j_1 \cdots j_t\) in the money
structure table. In the example of Fig. 7B, \(\Gamma_{00}\) and \(\Lambda_{00}\) correspond to the same position node 00,
that is, the left node of $50, of the money structure table in Fig. 7A.

First, for easy understanding, a simple example of procedure will be shown, where the user 200 pays
$75 to the shop 300 based on the hierarchical structure table of three levels. Here, let it be assumed that
the user 200 has received $100 bill C from the bank 100.

Step 1: As the preliminary procedure, the user 200 computes the value of \(\Gamma_{i,0}\) for each of i = 1, ..., K/2
as follows:

\[ \Gamma_{i,0} = \langle f_\Gamma(C \| 0 \| N_i) \rangle_{QR} \qquad (20) \]

Step 2: When the user 200 decides to pay $75, first the user computes \(X_{i,00}\) corresponding to $50 and
\(X_{i,010}\) corresponding to $25 for each of i = 1, ..., K/2 as follows:

\[ X_{i,00} = [(\Gamma_{i,0})^{1/4} \bmod N_i]_{-1} \qquad (21) \]

\[ X_{i,010} = [(\Omega_{i,0}^{2}\,\Gamma_{i,0})^{1/8} \bmod N_i]_{-1} \qquad (22) \]

where

\[ \Omega_{i,0} = \langle f_\Omega(C \| 0 \| N_i) \rangle_{1} \qquad (23) \]

The user sends \((I_i, N_i, X_{i,00}, X_{i,010})\) for all i = 1, ..., K/2 and (B, C) to the shop.
Note: The above calculation of \(X_{i,00}\) and \(X_{i,010}\) is based on the following algorithm:

\[ X_{i,00} = [(\Gamma_{i,00})^{1/2} \bmod N_i]_{-1} \qquad (24) \]

\[ X_{i,010} = [(\Gamma_{i,010})^{1/2} \bmod N_i]_{-1} \qquad (25) \]

where

\[ \Gamma_{i,00} = [(\Gamma_{i,0})^{1/2} \bmod N_i]_{QR} \qquad (26) \]

\[ \Gamma_{i,01} = [\Omega_{i,0}(\Gamma_{i,0})^{1/2} \bmod N_i]_{QR} \qquad (27) \]

\[ \Gamma_{i,010} = [(\Gamma_{i,01})^{1/2} \bmod N_i]_{QR} \qquad (28) \]

Here, summarizing the algorithm, first, the values \(\Gamma_{i,00}\) and \(\Gamma_{i,010}\) of Γ table corresponding to the nodes
i,00 and i,010 are calculated, then the square roots of these values in QNR (these Jacobi symbol values
are -1) are defined as \(X_{i,00}\) and \(X_{i,010}\).
Step 3: The shop 300 verifies the validity of the signatures B for \((I_i, N_i)\), and C for B. The shop computes
\(\Omega_{i,0}\) and \(f_\Gamma(C \| 0 \| N_i)\), then verifies the validity of \(X_{i,00}\) and \(X_{i,010}\) for each of i = 1, ..., K/2
such that

\[ (X_{i,00}/N_i) = (X_{i,010}/N_i) = -1 \qquad (29) \]

\[ X_{i,00}^{4} \equiv d_i\, f_\Gamma(C \| 0 \| N_i) \pmod{N_i} \qquad (30) \]

\[ X_{i,010}^{8} \equiv d_i\, \Omega_{i,0}^{2}\, f_\Gamma(C \| 0 \| N_i) \pmod{N_i} \qquad (31) \]

where \(d_i \in \{\pm 1, \pm 2\}\) for i = 1, ..., K/2. If they are valid, the shop 300 selects random bits,
\(E_{i,00}, E_{i,010} \in \{0, 1\}\) for i = 1, ..., K/2, and sends them to the user 200. Otherwise, the shop halts this
procedure.

Step 4: The user 200 computes

\[ Y_{i,00} = [(\Lambda_{i,00})^{1/2} \bmod N_i]_{(-1)^{E_{i,00}}} \qquad (32) \]

\[ Y_{i,010} = [(\Lambda_{i,010})^{1/2} \bmod N_i]_{(-1)^{E_{i,010}}} \qquad (33) \]

and sends \((Y_{i,00}, Y_{i,010})\) (i = 1, ..., K/2) to the shop 300. Here,

\[ \Lambda_{i,00} = \langle f_\Lambda(C \| 00 \| N_i) \rangle_{QR} \text{ and} \qquad (34) \]

\[ \Lambda_{i,010} = \langle f_\Lambda(C \| 010 \| N_i) \rangle_{QR} \qquad (35) \]

Step 5: The shop 300 verifies that

\[ (Y_{i,00}/N_i) = (-1)^{E_{i,00}} \qquad (36) \]

\[ (Y_{i,010}/N_i) = (-1)^{E_{i,010}} \qquad (37) \]

\[ Y_{i,00}^{2} \equiv d'_i\, f_\Lambda(C \| 00 \| N_i) \pmod{N_i} \text{ and} \qquad (38) \]

\[ Y_{i,010}^{2} \equiv d''_i\, f_\Lambda(C \| 010 \| N_i) \pmod{N_i} \qquad (39) \]

where \(d'_i, d''_i \in \{\pm 1, \pm 2\}\) for i = 1, ..., K/2. If verification succeeds, the shop accepts the user's
messages as $75 from electronic bill C.



Procedure for Payment of Electronic Cash

Next, a concrete procedure between the user 200 and the shop 300 for the use of electronic cash,
shown in Fig. 8, will be described with reference to Figs. 9 and 10 which respectively show arrangements of
the shop 300 and the user 200 for the procedure of the use of electronic cash. A description will be given
later on of the cases where the user 1 (200) transfers electronic cash to the other user 2 (400) and where
the latter pays with the transferred electronic cash at the shop 300. The following description will be made
of the payment with the electronic bill issued from the bank 100.

The bank 100 established a money hierarchical structure (Fig. 7C), similar to that depicted in Fig. 7A,
corresponding to the face value of the electronic cash C to be issued, defines the corresponding Γ table
and Λ table such as shown in Fig. 7B and further defines the random functions \(f_\Gamma\), \(f_\Lambda\) and \(f_\Omega\). These
pieces of information are all opened to the public. In many cases, a plurality of nodes of the hierarchical
structure tables correspond to the amount of money to be used, but since the processing corresponding to the
respective nodes is basically executed by the same algorithm and can be performed in parallel, the
following description will be given of the processing for only one node. The position of the node concerned
is expressed by \(j_1 j_2 \cdots j_t\) (\(j_l \in \{0, 1\}\), l = 1, ..., t), where t represents the level to which the node
belongs (Fig. 7C). In the following, i = 1, 2, ..., K/2, accordingly the numbers of Γ and Λ tables used are K/2,
respectively.

Step S1: At first, the user 200 obtains \(\Gamma_{i,0}\) of the following equation from the pieces of information C and
\(N_i\) by use of a random function Γ calculator 220:

\[ \Gamma_{i,0} = \langle f_\Gamma(C \| 0 \| N_i) \rangle_{QR} \qquad (40) \]

Next, the information C, the nodes \(j_1 \cdots j_t\) corresponding to the amount of money to be used and the
information \(N_i\) are provided to a random function Ω calculator 221, generating \(\Omega_{i,j_1 \cdots j_l}\)
(where l = 1, ..., t) expressed by the following equation:

\[ \Omega_{i,j_1 \cdots j_l} = \langle f_\Omega(C \| j_1 \| \cdots \| j_l \| N_i) \rangle_{1} \qquad (41) \]

Moreover, amount of money information \(X_{i,j_1 \cdots j_t}\), which is the residue power root of a value for the
node corresponding to the amount of money to be used, is obtained, by the following equation (42), from
\(\Gamma_{i,0}\), \(\Omega_{i,j_1 \cdots j_l}\) (where l = 1, ..., t) and \(N_i\) through use of a residue power calculator 222, a
modulo multiplier 223 and a modulo power calculator 224. Here, \(N_i\) is the Williams integer, which has
already been generated by the multiplier 203 depicted in Fig. 3.

\[ X_{i,j_1 \cdots j_t} = \Big[ \Big( \prod_{l=1}^{t-1} \Omega_{i,j_1 \cdots j_l}^{\,2^{l} j_{l+1}}\; \Gamma_{i,0} \Big)^{1/2^{t}} \bmod N_i \Big]_{-1} \qquad (42) \]

Note: The above calculation of \(X_{i,j_1 \cdots j_t}\) is based on the following algorithm:

\[ X_{i,j_1 \cdots j_t} = [(\Gamma_{i,j_1 \cdots j_t})^{1/2} \bmod N_i]_{-1} \qquad (43) \]

where

\[ \Gamma_{i,j_1 \cdots j_t} = [\Omega_{i,j_1 \cdots j_{t-1}}^{\,j_t}\,(\Gamma_{i,j_1 \cdots j_{t-1}})^{1/2} \bmod N_i]_{QR} \qquad (44) \]

Step S2: The user 200 sends

(where i = 1, ..., K/2), \((j_1, \ldots, j_t)\) and (B, C) to the shop 300.

Step S3: The shop 300 verifies the validity of the signature to \((I_i \| N_i)\) of the license B on the basis of the
public key \((e_A, n_A)\) by use of a concatenator 304, a one-way hash function calculator 305, a modulo
multiplier 309, an RSA encoder 310 and a comparator 311, that is, a check is made to see if the
following equation holds.

\[ B^{e_A} \equiv \prod_{i=1}^{K/2} g(I_i \| N_i) \pmod{n_A} \qquad (45) \]

Moreover, the shop 300 verifies the validity of the signature to \((B \| b)\) of the electronic cash C on the
basis of the public key \((e_A', n_A')\) by use of a concatenator 312, a one-way hash function calculator 313, a
modulo multiplier 303, an RSA encoder 314 and a comparator 315, that is, a check is made to see if the
following equation holds.

\[ g(B \| b) = C^{e_A'} \bmod n_A' \qquad (46) \]

If the validity of the signature is rejected, then the subsequent processing will not be performed.
Step S4: The shop 300 makes a check to see if the amount of money information \(X_{i,j_1 \cdots j_t}\)
satisfies the following relationship, by use of a Jacobi symbol calculator 316 and a comparator 317. If
not, then the subsequent processing will not be executed.

\[ (X_{i,j_1 \cdots j_t} / N_i) = -1 \qquad (47) \]


Step S5: Next, the shop 300 derives \(f_\Gamma(C \| 0 \| N_i)\) from C and \(N_i\) by means of a random function Γ
calculator 324. Besides, the shop 300 inputs C, \(j_1 \cdots j_t\) and \(N_i\) into a random function Ω calculator 321 to
generate \(\Omega_{i,j_1 \cdots j_l}\) (where l = 1, ..., t) by the following equation:

\[ \Omega_{i,j_1 \cdots j_l} = \langle f_\Omega(C \| j_1 \| \cdots \| j_l \| N_i) \rangle_{1} \qquad (48) \]

Further, the shop 300 obtains the following equation by means of a modulo power calculator 322:

\[ F_{i,l} = \Omega_{i,j_1 \cdots j_l}^{\,2^{l} j_{l+1}} \bmod N_i, \quad l = 1, \ldots, t-1 \]

Then the shop 300 calculates the following equation through utilization of the outputs of the modulo
power calculator 322 and the random function Γ calculator 324.



f r ( C II 0 II N j ) ♦ Q Mi ... j£ ( It = 1 . .... t ) 






Step S6: The shop 300 uses the outputs of a modulo power calculator 318 and a modulo multiplier 323
to obtain, by means of a modulo divider 319, \(d_i\) which satisfies the following equation:

\[ X_{i,j_1 \cdots j_t}^{\,2^{t}} \equiv d_i \prod_{l=1}^{t-1} F_{i,l}\; f_\Gamma(C \| 0 \| N_i) \pmod{N_i} \qquad (49) \]

and verifies the validity of the amount of money information by checking whether the \(d_i\) matches ±1 and
±2 by means of a comparator 320, where i = 1, ..., K/2.

Step S7: The shop 300 sends random bits \(E_{i,j_1 \cdots j_t} \in \{0, 1\}\) (i = 1, ..., K/2) derived from a random
generator 301, as inquiry information, to the user 200.

Step S8: The user 200 calculates the following equation from C, \(j_1 \cdots j_t\) and \(N_i\) by means of a random
function Λ calculator 225.

\[ \Lambda_{i,j_1 \cdots j_t} = \langle f_\Lambda(C \| j_1 \| \cdots \| j_t \| N_i) \rangle_{QR} \qquad (50) \]

Next, response information of the following equation is calculated from \(\Lambda_{i,j_1 \cdots j_t}\) and \(E_{i,j_1 \cdots j_t}\)
by use of a modulo square root calculator 226.

\[ Y_{i,j_1 \cdots j_t} = [(\Lambda_{i,j_1 \cdots j_t})^{1/2} \bmod N_i]_{(-1)^{E_{i,j_1 \cdots j_t}}} \qquad (51) \]

The user 200 sends the response information \(Y_{i,j_1 \cdots j_t}\) to the shop 300.

Step S9: The shop 300 makes a check to see if the response information \(Y_{i,j_1 \cdots j_t}\)
satisfies the relationship of the following equation, by use of a Jacobi symbol calculator 325 and a
comparator 326. If not, the subsequent processing will not be executed.

\[ (Y_{i,j_1 \cdots j_t} / N_i) = (-1)^{E_{i,j_1 \cdots j_t}} \qquad (52) \]

Next, the shop 300 inputs C, \(j_1 \cdots j_t\) and \(N_i\) into a random function Λ calculator 328 to obtain
\(f_\Lambda(C \| j_1 \| \cdots \| j_t \| N_i)\) and, at the same time, calculates the following equation

\[ Y_{i,j_1 \cdots j_t}^{2} \bmod N_i \]

by use of a modulo power calculator 327. The outputs are applied to a modulo divider 329 to obtain \(d'_i\)
which satisfies the following equation:

\[ Y_{i,j_1 \cdots j_t}^{2} \equiv d'_i\, f_\Lambda(C \| j_1 \| \cdots \| j_t \| N_i) \pmod{N_i} \qquad (53) \]

Further, the shop 300 checks the \(d'_i\) by a comparator 330 as to which of ±1 and ±2 it matches. If it
matches either one of them, then the shop 300 will regard the payment of the amount of money
corresponding to the node \(j_1 \cdots j_t\) of the electronic bill as valid and receive it.

In the above example the electronic cash is subdivided into a plurality of pieces each worth a desired
value, but in the case of using the full face value of the electronic cash by one payment, the user 200 does
not conduct step S1 in Fig. 8 but instead he transmits the pieces of information \(I_i\), \(N_i\), B and C to the shop
300 in step S2. The shop 300 makes the check in step S3 and if the license B and the electronic cash C
are found valid, then the shop 300 receives them and does not perform the subsequent steps S4 through
S6 and immediately generates the inquiry information \(E_i\) in step S7 and sends it to the user 200. The user 200
produces, in step S8, response information \(Y_i\) by, for example, Eqs. (50) and (51) with \(j_1 \cdots j_t\) removed
therefrom and provides it to the shop 300. The shop 300 performs the verification in step S9 by use of Eqs.
(52) and (53) with \(j_1 \cdots j_t\) removed therefrom. In the case of using the electronic cash without subdividing it
into pieces as mentioned above, the transmission of information in step S2 may be done at the same time
as the response information \(Y_i\) is transmitted in step S8.

It must be noted here again that since the amount of money information \(X_i\) is calculated through use of
the random function \(f_\Omega\) and the Γ table in step S1, it is only the license B, the electronic cash C, the random
number b, the user information \(I_i\) and the composite number \(N_i\) that the user 200 has to hold for showing to
the shop 300 in step S2. In contrast thereto, it is necessary in the afore-mentioned Okamoto-Ohta system
that the user hold not only these pieces of information but also k/2 pieces of secret information \(X_i\) generated
from k/2 random numbers when the electronic cash was issued. Moreover, when calculating the response \(Y_i\)
of Eq. (51) in step S8, the user 200 obtains the modulus power root of the random function \(f_\Lambda\) through
calculation; namely, k/2 random numbers \(R_i\) used for the issuance of electronic cash in the Okamoto-Ohta
system are not used for the generation of the response \(Y_i\), hence the amount of information which is held
together with the electronic cash is extremely small. That is, the present invention permits the verification by
calculating the modulo power roots of certain functions, such as expressed by Eqs. (43), (44) and (51) and
providing them to the shop, whereas the Okamoto-Ohta system produces a verifiable response through use
of the random numbers \(R_i\) used at the time of issuing the electronic cash.

(4) Transfer of Electronic Cash 

At first, a hierarchical structure table is established corresponding to the face value of the electronic bill
and its minimum unit of use and the positions of nodes in the table are determined corresponding to the
amount of money to be transferred.

Next, a description will be given of the case where the user 1 transfers the electronic cash to the user 2.
Fig. 11 shows an example of communication between the users 1 and 2. In the following, variables with
one prime "'" are related to the user 1 and variables with two primes "''" are related to the user 2. The
variables have the same meanings as defined previously, unless otherwise specified.

Step S1: The nodes corresponding to the amount of money to be transferred are made nodes \(j_1 j_2 \cdots j_t\)
(where \(j_l \in \{0, 1\}\)) (Fig. 7B). The user 1 (200) performs, as the user 1 in Fig. 8, a procedure similar to
that for the payment of electronic cash to the shop 300 and the user 2 (400) executes, as the shop 300
in Fig. 8, a procedure similar to that for receiving from the user 1 (200) electronic cash corresponding to
the nodes \(j_1 j_2 \cdots j_t\). In many cases, a plurality of nodes of the hierarchical structure table correspond to the
amount of money to be transferred, but as described previously with reference to Fig. 8, the processing
corresponding to each node is executed by basically the same algorithm and the procedures of the
respective nodes can be executed in parallel.

Step S2: When the user 2 (400) has found, by the communication in step S1, that the license B, the
electronic cash C, the amount of money information \(X_{i,j_1 \cdots j_t}\) and the response information
\(Y_{i,j_1 \cdots j_t}\) of the user 1 are valid, the user 2 (400) shows his license B'' to the user 1.

Step S3: The user 1 (200) creates the following deed of transfer T through utilization of the license B'' of
the user 2 (400) and offers it to the user 2.

io T = {<(<g(C 0 j, • • • j, # • • • • ' • jV 0 B")) QR } ,/2 mod N'i (54) 

where jt ... i x #..J}f\ ...jY represents all the nodes corresponding to the amount of money to be transferred. 
Step S4: After verifying the validity of the deed of transfer T by making a check to see if the following
equation (55) holds, the user 2 (400) holds the history H' of the above procedure (steps S1 and S3) as
transferred electronic cash.

""~"<g(ClK*" # " # T#~'-*^ — (55)__ 



(5) Payment with Transferred Electronic Cash 

Next, a description will be given of the procedure by which the user 2 (400) pays with the transferred
electronic cash at the shop (300).

At first, a hierarchical structure table is established corresponding to the face value of the electronic cash
and its minimum unit of use as mentioned previously, and that one of the nodes corresponding to the
transferred electronic cash which is used for payment is determined.

Fig. 12 shows an example of communication between the user 2 (400) and the shop (300).

Step S1: The user 2 (400) first sends the transferred electronic cash H' to the shop (300). Further, the user 2
(400) informs the shop (300) of the amount paid and the corresponding node.

Step S2: The shop (300) verifies the validity of the electronic cash H' and checks if the node
corresponding to the payment is included in the nodes corresponding to the transferred electronic cash.
If they are not found good, the processing is stopped.

Step S3: The user 2 (400) and the shop 300 follow the procedure of the user 1 in Fig. 8 and the
procedure of the shop 300 in Fig. 8 to perform the procedure of payment of the node concerned. In the
execution of the procedures depicted in Fig. 8, the transferred cash C is used as the electronic cash C
and the pieces of information \(N''_i\) and B'' of the user 2 (400) are used as \(N_i\) and B.

(6) Settlement of Accounts 

Next, a description will be given of a method of settlement of accounts between the shop 300 and the
bank 100. The shop 300 offers to the bank 100 a history H (or H') of the communication with the user (200)
or (400) for the transaction therebetween and demands the bank 100 to pay the amount of money
concerned. The bank 100 checks whether the same electronic cash C as that in the information H offered
thereto has been already recorded on an information memory, and if not, the bank 100 verifies the validity
of the information H (or H'). If the information is found good, then the bank 100 will store it in the information
memory and pay the charged amount of money into the shop's account. In the case where the same
electronic cash is found in the records stored in the information memory, the bank 100 uses the pieces of
information offered thereto together with the electronic cash to check if the afore-mentioned two
restrictions (a) and (b) concerning the use of the node are satisfied or not, and if satisfied, then the bank
100 will pay the charged amount of money into the shop's account and store the information H in the
information memory. When either one of the two restrictions is not satisfied, the composite number \(N_i\) is
factorized into prime numbers to obtain the secret information \(S_i\) of the abuser and the bank determines his
identification information \(ID_P\).

Security

First, it will be shown that a third restriction of the hierarchical structure table is securely realized. If user
200 uses any part of electronic bill C (any node of the hierarchical structure table of C) more than once, the
bank 100 can obtain the identity \(ID_P\) of the user 200 with overwhelming probability, since the Williams
integer N can be factored in polynomial time from \([x^{1/2} \bmod N]_{1}\) and \([x^{1/2} \bmod N]_{-1}\), and since the shop
300 challenges the user 200 randomly using the Λ table, along with the cut-and-choose methodology. That
is, in the case where the user 200 has used the same node at two shops in Fig. 8, the probability that
inquiry random bits \(E_i\) produced by the two shops match in all i's is very low. For at least one i the one
shop generates \(E_i = 1\) and the other shop generates \(E_i = 0\). Then, the response \(Y_i\) that the user 200
produces for each shop in step S8 contains, for the same i, the above-noted \(Y_i = [x^{1/2} \bmod N]_{-1}\) and
\(Y_i = [x^{1/2} \bmod N]_{1}\). Thus, the bank 100 can ultimately obtain the pieces of information \(P_i\) and \(Q_i\) by easy
factorization of the composite number \(N_i\) into prime factors on the basis of these two different pieces of
information \(Y_i\) contained in the information related to the same electronic cash C collected from the two
shops. As a result, the secret information \(S_i\) can be obtained using the user information \(I_i\), hence the
identification information \(ID_P\) contained in the information \(S_i\) can be known. For the same reason, when the
electronic cash is used twice in the embodiment wherein the electronic cash is not subdivided, the secret
information \(S_i\) of the abuser is obtained and his identification information \(ID_P\) is revealed.
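The factoring argument above can be run end to end on toy numbers. This is an added example, not code from the patent: the primes 499 and 503 are constructed demonstration values (far too small for real use), SHA-256 stands in for the random function f_Λ, a single index i is shown, and all function names are assumptions. The square-root and normalisation helpers follow Eqs. (15) to (17), and the user and shop sides follow Eqs. (50) to (53).

```python
# Added illustration (not from the patent): answering both challenge bits for the
# same node hands the bank two square roots that factor the user's Williams integer.
import hashlib
from math import gcd

# Constructed toy parameters: P = 3 (mod 8), Q = 7 (mod 8). Only the user knows P and Q.
P, Q = 499, 503
N = P * Q

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without knowing the factors of n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_qr(x):
    """x is in QR_N exactly when it is a quadratic residue modulo both P and Q."""
    return pow(x, (P - 1) // 2, P) == 1 and pow(x, (Q - 1) // 2, Q) == 1

def to_qr(z):
    """<z>_QR of Eq. (17): the unique d*z mod N with d in {1, -1, 2, -2} lying in QR_N."""
    for d in (1, -1, 2, -2):
        if is_qr(d * z % N):
            return d * z % N
    raise ValueError("z is not coprime to N")

def square_roots(x):
    """All four square roots of x in QR_N, computed from the secret factors."""
    rp = pow(x, (P + 1) // 4, P)      # valid because P = 3 (mod 4)
    rq = pow(x, (Q + 1) // 4, Q)      # valid because Q = 3 (mod 4)
    cp = Q * pow(Q, -1, P)            # CRT coefficient: 1 mod P, 0 mod Q
    cq = P * pow(P, -1, Q)            # CRT coefficient: 0 mod P, 1 mod Q
    return [(sp * rp * cp + sq * rq * cq) % N for sp in (1, -1) for sq in (1, -1)]

def root_with_symbol(x, symbol):
    """[x^(1/2) mod N]_symbol of Eqs. (15)/(16): fixed Jacobi symbol and 0 < y < N/2."""
    return next(y for y in square_roots(x) if jacobi(y, N) == symbol and y < N / 2)

def f_lambda(cash, node):
    """Stand-in for f_Lambda (assumption: SHA-256, re-hashed until coprime to N)."""
    counter = 0
    while True:
        data = "{}|{}|{}|{}".format(cash, node, N, counter).encode()
        z = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
        if gcd(z, N) == 1:
            return z
        counter += 1

def respond(cash, node, challenge_bit):
    """User, step S8: Y = [Lambda^(1/2) mod N]_((-1)^E), Eqs. (50) and (51)."""
    lam = to_qr(f_lambda(cash, node))
    return root_with_symbol(lam, -1 if challenge_bit else 1)

def shop_accepts(cash, node, challenge_bit, y):
    """Shop, step S9: Jacobi check (52), then Y^2 = d' * f_Lambda with d' in {+-1, +-2} (53)."""
    if jacobi(y, N) != (-1 if challenge_bit else 1):
        return False
    z = f_lambda(cash, node)
    return any(pow(y, 2, N) == d * z % N for d in (1, -1, 2, -2))

def bank_factor(y_a, y_b):
    """Bank: two roots of one value with different Jacobi symbols split N."""
    p = gcd(y_a - y_b, N)
    return (p, N // p) if 1 < p < N else None

if __name__ == "__main__":
    y0 = respond("C-demo", "010", 0)   # answer given to the first shop (E = 0)
    y1 = respond("C-demo", "010", 1)   # answer given to a second shop (E = 1)
    print(shop_accepts("C-demo", "010", 0, y0), shop_accepts("C-demo", "010", 1, y1))
    print(bank_factor(y0, y1))
```

A single response is one square root and reveals nothing the shop could not check; only the pair with opposite Jacobi symbols lets `bank_factor` recover P and Q.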

Next, it will be shown that the second restriction of the hierarchical structure table is securely realized.
Here, for easy understanding, a simple example will be given, where the value of C is $100, and the user
200 pays $75 to the shop 300 (see Fig. 7B). Note that the cut-and-choose methodology is also implicitly
crucial in ensuring correctness, although detailed explanation is omitted here (roughly, according to this
methodology, it is possible to assume that \(I_i\), \(N_i\) are correctly generated).

The first restriction is satisfied as follows: When nodes 00 and 010 are used, then all descendant and
ancestor nodes of these nodes, 0, 000, 001 and 01 cannot be used. When node 00 is used, the user 200
sends the following value information

\[ X_{i,00} = [(\Gamma_{i,0})^{1/4} \bmod N_i]_{-1} \quad (i = 1, \ldots, K/2) \]

to the shop 300 (and finally to the bank 100). Then, if the customer 200 uses node 000, the user 200 sends
the following value information

\[ X_{i,000} = [(\Gamma_{i,000})^{1/2} \bmod N_i]_{-1} \quad (i = 1, \ldots, K/2). \]

Since it holds that

\[ (X_{i,000}^{2} \bmod N_i)^{2} = (X_{i,00})^{2} \bmod N_i, \]

the bank 100 can factor \(N_i\) from \(X_{i,00}\) and \((X_{i,000})^{2} \bmod N_i\), then the identity \(ID_P\) of the user 200 is
revealed. Similarly, if node 0 or 001 is used with node 00, or if node 0 or 01 is used with node 010, then the
identity \(ID_P\) of the user is revealed. Therefore, when nodes 00 and 010 are used, then nodes 0, 000 and 01
cannot be used, with concealing the identity \(ID_P\) of the user 200.

Finally, the necessity of random variable Ω will be shown using a simple example as follows: Assume
that Ω is a constant value, e.g., 3. Then, in Fig. 7B, \(\Gamma_{01} = 3(\Gamma_0)^{1/2}\), where the suffix of i and mod \(N_i\) are
omitted for simplicity. So, when a customer uses the nodes of 00 and 01, he opens the following values

\[ X_{00} = (\Gamma_0)^{1/4} \text{ and } X_{01} = \{3(\Gamma_0)^{1/2}\}^{1/2} = 3^{1/2}(\Gamma_0)^{1/4}, \]

where the Jacobi symbol values of \(X_{00}\) and \(X_{01}\) are -1. Then, the shop 300 can obtain \(3^{1/2}\) by calculating
\(X_{01}/X_{00}\), where the Jacobi symbol of this value is 1. The same situation occurs when the customer uses the
nodes 000 and 001, and so on. Therefore, suppose that a customer uses nodes 000, 001 and 0110, whose
usage is valid, which means he opens \(X_{000}\), \(X_{001}\), \(X_{010}\) and \(X_{0110}\). Then, the shop 300 can calculate
\(V = 3^{1/2}\) by \(X_{001}/X_{000}\), and also calculate the value of \(X_{011}\) by \(V X_{010}\). Therefore, the shop can factor N
by using the values of \(X_{011}\) and \((X_{0110})^{2}\), where the Jacobi symbol of \(X_{011}\) is -1 and that of \((X_{0110})^{2}\)
is 1. Thus, the shop can know the customer's ID, although the customer uses the nodes validly.

As described above, the present invention has its feature in that the amount of information related to
electronic cash, which the user has to hold, is smaller than in the aforementioned Okamoto-Ohta system.
Moreover, according to the present invention, electronic cash once issued can be subdivided into many
pieces each worth a desired value until the total value of all the pieces becomes equal to the face value of
the electronic cash determined when it was issued.

Claims


1. An electronic cash system wherein a user who possesses electronic cash and a license issued from a
bank uses said electronic cash, including:

Step 1 wherein said user furnishes a shop with information containing a composite number, said
electronic cash and said license, said composite number being the product of at least two prime
numbers;

Step 2 wherein said shop verifies the validity of said license and said electronic cash and, if they are
valid, creates and offers inquiry information to said user;

Step 3 wherein said user calculates, following said inquiry information, a residue power root of a
function using said composite number as a modulo and provides it as response information to said
shop; and

Step 4 wherein said shop uses said composite number to verify the validity of said response
information.

2. An electronic cash system wherein a user uses a license and electronic cash issued from a bank,
including:

Step 1 wherein said bank establishes a hierarchical structure table which is a tree having a plurality of
levels and in which one node corresponding to the face value of said electronic cash issued to said
user is set to the highest level and nodes of lower levels are sequentially branched from said node
of the highest level in a tree form, and a unit value is made to correspond to each node so that the
unit value corresponding to a desired node is equal to the total sum of the unit values of
immediately descendant nodes branched therefrom;

Step 2 wherein said user selects a combination of nodes corresponding to the amount of money
used from said hierarchical structure table in accordance with the following restrictions:

(a) Once a node is used, all of its ancestor and descendant nodes should not be used thereafter;
and

(b) Each node should not be used more than once; and

Step 3 wherein said user creates amount of money information corresponding to each of said
selected nodes and offers it to said shop together with said electronic cash and said license.

3. The electronic cash system of claim 2 wherein: in the case of paying with said electronic cash at said
shop, said user provides residue power roots corresponding to said selected nodes, as said amount of
money information to said shop in said step 3; said shop verifies the validity of said license and said
electronic cash and, if they are valid, provides inquiry information to said user; said user generates
response information corresponding to said inquiry information from said shop by obtaining residue
power roots of values corresponding to said nodes in said hierarchical structure table and then provides
said response information to said shop; and said shop verifies the validity of said response information
from said user and, if it is valid, allows the payment with said electronic cash of said amount of money
used.

4. The electronic cash system of claim 1 wherein said composite number is the Williams integer.



5. The electronic cash system of claim 1 or 2 wherein when said user opens an account with said bank,
said user performs:

step S1 wherein said user produces K sets of first blind signature information by blind processing of
secret information containing identification information of said user by a random number, K being an
integer equal to or greater than 2;

step S2 wherein said bank makes said user open L sets of said blind signature information and, if
said opened pieces of information are correct, attaches a blind signature to the remaining unopened
K - L sets of said first blind signature information and transmits them to said user; L being greater
than 2 but smaller than K;

step S3 wherein said user calculates the signature of said bank to said user information from said
blind signature received from said bank, thereby obtaining said signed user information as said
licence;

and

wherein when said user withdraws electronic cash of a certain face value from said bank, said
user performs:

step S4 wherein said user produces authentication information containing said license and generates
second blind signature information by blind processing of said authentication information by a public
key corresponding to the face value of said electronic cash to be withdrawn and transmits said
second blind signature information to said bank;

step S5 wherein said bank attaches a blind signature to said second blind signature information,
using a secret key corresponding to the amount of money to be withdrawn and transmits said signed
second blind signature information to said user; and

step S6 wherein said user calculates the signature of said bank to said authentication information
from said blind signature received from said bank and uses said signed authentication information as
said electronic cash.

6. The electronic cash system of claim 1 or 3 wherein said shop transmits all communications between
said user and said shop to said bank to settle an account, said bank verifies the validity of said
communications and, if they are valid, stores them in a memory, and when the same electronic cash is
used fraudulently, said bank calculates secret information of said user used for the generation of said
license.

20 

7. The electronic cash system of claim 2 wherein when said user, who is a first user, transfers said
electronic cash to a second user with a license in said step 3, said first user defines a node
corresponding to the amount of money of said electronic cash to be transferred in said hierarchial
structure table and provides to said second user said electronic cash and a residue power root of the
value corresponding to said node corresponding to said amount of money to be transferred; said
second user verifies the validity of said electronic cash and provides inquiry information to said first
user; said first user generates response information corresponding to said inquiry information from said
second user by obtaining a residue power root of the value corresponding to said node in said
hierarchial structure table and offers said response information to said second user; said second user
verifies the validity of said response information from said first user and, if it is valid, shows said license
of his own to said first user; said first user generates, as a deed of transfer, a residue power root
corresponding to information containing the node position representing said amount of money to be
transferred, said electronic cash and said license of said second user and provides said deed of
transfer to said second user; and said second user verifies the validity of said deed of transfer and
acknowledges the transfer of said electronic cash of said amount of money.

8. The electronic cash system of claim 7 wherein when said second user uses said transferred electronic
cash at a shop, said second user determines the amount of money to be used, within said transferred
amount of money, determines a node corresponding to said amount of money to be used in said
hierarchial structure table corresponding to said transferred electronic cash, offers said electronic cash
and said deed of transfer to said shop together with a residue power root of the value corresponding to
said node; said shop verifies the validity of said electronic cash and said deed of transfer and provides
inquiry information to said second user; said second user generates response information corresponding
to said inquiry information from said shop by obtaining a residue power root of the value
corresponding to said node in said hierarchial structure table and offers said response information to
said shop; and said shop verifies the validity of said response information from said second user and, if
it is valid, acknowledges the payment with said electronic cash of said amount of money to be used.

9. The electronic cash system of claim 8 wherein when said shop provides all communications between
said second user and said shop to said bank to settle an account; and said bank verifies the validity of
said communications and, if they are valid, stores them in a memory and if said electronic cash is used
fraudulently, said bank obtains the identification information of said user by calculating secret
information of said user used for the generation of a license.

10. The electronic cash system of claim 6 wherein said bank makes a check to see if the same electronic
cash as that in information received from said shop has already been stored in said memory, and if so,
checks whether said two pieces of response information attached to said two pieces of electronic cash
have portions which do not match, and if so, said bank factorizes a number corresponding to said
portion to prime numbers to obtain the identification number of said user.

11. The electronic cash system of claim 3 wherein said shop transmits all communications between said
user and said shop to said bank to settle an account; said bank makes a check to see if the same
electronic cash as in information received from said shop has already been stored in said memory, and
if so, checks whether at least two nodes used for said two pieces of electronic cash satisfy said
restrictions or not, and if not, said bank factorizes numbers corresponding to said two nodes into prime
factors to obtain the identification number of said user.
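Steps S1 to S3 of the licence issuance describe a cut-and-choose blind signature. The sketch below is an added example, not code from the patent: it assumes textbook RSA blinding with a SHA-256 hash into Z_N, a constructed toy bank key, a constructed "id=...;nonce=..." message encoding, and hypothetical function names, and it signs each unopened set individually.

```python
import hashlib
import math
import secrets

# Toy bank RSA key (constructed for this example; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1          # two Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # bank's secret exponent

def h(msg: bytes) -> int:
    """Hash a message into Z_N (assumed encoding, not taken from the claims)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def make_candidate(user_id: str) -> dict:
    """S1: one set of blind signature information carrying user_id."""
    msg = f"id={user_id};nonce={secrets.token_hex(8)}".encode()
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:       # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    return {"msg": msg, "r": r, "blinded": pow(r, E, N) * h(msg) % N}

def bank_sign(blinded: list, opened: dict, user_id: str) -> dict:
    """S2: check every opened set, then blind-sign the K - L unopened ones."""
    if not 2 < len(opened) < len(blinded):
        raise ValueError("L must be greater than 2 and smaller than K")
    for i, (msg, r) in opened.items():
        if not msg.startswith(f"id={user_id};".encode()):
            raise ValueError(f"set {i}: wrong identification information")
        if pow(r, E, N) * h(msg) % N != blinded[i]:
            raise ValueError(f"set {i}: opening does not match blinded value")
    return {i: pow(w, D, N) for i, w in enumerate(blinded) if i not in opened}

def unblind(cands: list, blind_sigs: dict) -> dict:
    """S3: divide out r to obtain the bank's signature on h(msg)."""
    return {i: s * pow(cands[i]["r"], -1, N) % N for i, s in blind_sigs.items()}

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(msg)

def issue_licence(cands: list, open_idx: set, user_id: str) -> dict:
    """Run S2 and S3 over prepared candidates; the bank opens open_idx."""
    blinded = [c["blinded"] for c in cands]
    opened = {i: (cands[i]["msg"], cands[i]["r"]) for i in open_idx}
    return unblind(cands, bank_sign(blinded, opened, user_id))

if __name__ == "__main__":
    cands = [make_candidate("alice") for _ in range(6)]      # K = 6
    sigs = issue_licence(cands, {0, 2, 5}, "alice")          # L = 3
    print(all(verify(cands[i]["msg"], s) for i, s in sigs.items()))
```

A single malformed set escapes the check only if the bank does not open it, which happens with probability (K - L)/K when the opened indices are chosen uniformly at random.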
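Claims 10 and 11 have the bank factorize a number derived from mismatched responses attached to the same electronic cash. The added example below (not from the patent) shows the number-theoretic fact that makes this cheap for the bank, assuming the two responses are square roots of the same value modulo the user's composite N = P·Q that differ by more than sign; the primes, the value c and the function names are constructed, and the mapping from the factors to the user's identification number is not modelled.

```python
import math

# User's secret primes (constructed, both congruent to 3 mod 4); N is public.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q

def crt(ap: int, aq: int) -> int:
    """Combine a residue mod P and a residue mod Q into one residue mod N."""
    return (ap + P * ((aq - ap) * pow(P, -1, Q) % Q)) % N

def square_roots(c: int) -> list:
    """User side: all four square roots of a quadratic residue c mod N.

    Needs the secret factors P and Q; for primes congruent to 3 mod 4 a
    root mod p is c^((p+1)/4) mod p.
    """
    rp = pow(c, (P + 1) // 4, P)
    rq = pow(c, (Q + 1) // 4, Q)
    return sorted({crt(sp, sq) for sp in (rp, P - rp) for sq in (rq, Q - rq)})

def bank_trace(n: int, resp1: int, resp2: int):
    """Bank side: try to factor n from two responses stored for the same cash.

    If resp1^2 = resp2^2 (mod n) but resp1 != +/- resp2, then n divides
    (resp1 - resp2)(resp1 + resp2) without dividing either term, so the gcd
    with n is a proper factor. Returns (p, q) or None.
    """
    if pow(resp1, 2, n) != pow(resp2, 2, n):
        return None
    g = math.gcd(resp1 - resp2, n)
    return (g, n // g) if 1 < g < n else None

if __name__ == "__main__":
    c = pow(123456789, 2, N)             # constructed public value
    roots = square_roots(c)
    x = roots[0]
    y = next(r for r in roots if r not in (x, N - x))
    print(bank_trace(N, x, y))           # the two secret primes
    print(bank_trace(N, x, N - x))       # None: roots differ only by sign
```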

[Drawing sheets: FIG. 1, FIG. 3, FIG. 6A, FIG. 6B, FIG. 7A, FIG. 10, FIG. 12. Legible labels in FIG. 12: user (400), shop (300), "check validity of H'", "implement procedures of FIG. 8 for each of nodes".]